Black Hat: Anna Belak, Sysdig
Speaker 1: This is Techstrong TV.
Alan Shimel: Hey everyone. Welcome back to our Techstrong TV coverage, live at Black Hat here in the desert in Las Vegas, and it’s hot like a desert. I don’t know how many of you have been to Vegas lately, but walking yesterday, the wind was so warm. I don’t know if you had a chance to walk outside. I felt a little like Lawrence of Arabia or something. I was looking for the sand to hit me. But anyway, the good news is once you get into the air conditioning here at Mandalay Bay and the throngs of people are at Black Hat. I haven’t seen an official count yet, but it looks as big as it ever was. It’s certainly back.
I don’t know if you know this woman, if you’ve watched Techstrong TV, she’s been on, oh, at least a half a dozen or more times. It’s Anna Belak, she, well, she runs the cybersecurity research team over at Sysdig, and for those who don’t know, Sysdig has a pretty steady stream of reports that come out. A lot of different topics, a lot of great research and reporting coming out of there. Anyway, Anna, welcome so much in person in the flesh here in Las Vegas.
Anna Belak: It’s very cool to actually meet you in person.
Alan Shimel: It’s very nice to have you here with us. You know what, before we jump into the latest report and talk about Black Hat, let’s talk about Anna. We’ve done this on Zoom, but now we’re going to embarrass you in person. Give them a little bit of your background, if you don’t mind.
Anna Belak: My background is unusual as, I guess it’s true of all cyber people. None of us are very cookie cutter. I started out as a scientist, I did a PhD in computational physics. Into challenging problems, I guess that’s my affliction, but I get bored easily. And physics is very much a long-term proposition. You have to commit to it for life. I did not have that in me. So I quit actually after the PhD and I said, I’m going to find the best job in the world, whatever it takes, and applied to hundreds of jobs. One of them was with Gartner, and I was a hundred percent convinced they would never hire me because I knew nothing about [inaudible], I was a physicist and they hired me to work on Docker containers and Kubernetes and emerging technologies. Yeah, because they were looking for folks that were smart and could figure something out that was brand new.
Alan Shimel: And no one really knew it anyway.
Anna Belak: Yeah. No one knew it. There’s not like 40 years of baggage.
Alan Shimel: Right. That’s 30 years of Docker experience in the last two.
Anna Belak: Yeah. So that’s what I did, and I spent six years there working on those systems and that security of those systems, and then eventually made my way into the real world where we try to build security tools for the new world.
Alan Shimel: Absolutely. As crazy as it sounds, your profile, in terms of what you were looking for, what you like and what interests you, is very common in the cyberspace. The cyberspace used to, I’ve been in cyber 25+ years myself. It used to be a lot of people who used to break things just to see if they can be broken and then put them back together better. And also a lot of ADD, jumping around, shiny trinkets syndrome. So you’re not, you are with your people.
Anna Belak: I am with my people.
Alan Shimel: You have found your tribe, as they say.
Anna Belak: I’ve embraced my people. Yes.
Alan Shimel: And then of course you left Gartner came to Sysdig where you’re heading up, as I mentioned, the cybersecurity research team there. And for those who don’t know, Sysdig is a leader in what’s called a cloud native security. But cloud native today is so big and so broad. They’re a leader in cybersecurity today because so much of what we do is involving cloud native. But their research division in particular has done some amazing work. Before we get into the latest report, if you don’t mind, Anna, share a little bit bigger picture about the research team and some of the stuff and work you’re working on.
Anna Belak: Sure. So this team is doing the thing that everyone hopes the vendor will do, and they’re keeping track of what the bad guys are up to so that we can build a tool that can help you defend more effectively. They have tons of approaches. They have a really impressive collection of folks there. So like X, government, X, you name it. And what their mission is to essentially design a research system. So it’s a lot of honeypots. They work on real live data as well. If something happens to a customer, we’re there to check it out. And then to summarize that into really what you should be looking for and what you should do. So if you’re a customer of Sysdig or if you’re just a business that has some kind of cloud security tooling in place, what are you even looking for? How do you know when the bad guys are there?
Alan Shimel: And this of course is a big problem because unfortunately, almost the nature of the beast is we don’t find out until afterwards when it’s hit the fan. But we are getting better though. I’ve tried really hard recently when I’m talking about cybersecurity. Breaches happen. It happens to the best of us, but we shouldn’t lose sight of the fact that we have made a lot of progress. Things are better than they were and they continually get better. Some of it because of the work that your team is doing and Sysdig in general. But overall, I mean, as an industry, we are doing, I think, better. Anyway. You guys have a new report that you’re touting a little bit out here at the show. Why don’t you tell us about it?
Anna Belak: Yeah, it’s very fun. So this is our second one. We did our first one last year, and there are some themes that we’ve followed through and there’s some new stuff. The newest, most exciting thing is probably the time element. So we know cloud is fast, it gets you provisioned fast to do something new and cool. We also speculated that the attacks in cloud would be fast for the same reason. And now we have hard data to prove that. We did a huge study setting up a bunch of different systems to see what the attackers would go after and how that would look. And so we measured specifically impact on verticals. Would they go after telco, finance, healthcare, what have you. By the way, telco number one, finance number two, not a surprise.
Alan Shimel: Not a surprise, I guess.
Anna Belak: But now look confirmed in cloud by this is purely cloud, it’s not.
Alan Shimel: Yeah, I understand.
Anna Belak: And then the speed at which these things happen. So once they find you, which is quite easy because public API has exposed assets, et cetera, it takes them ten minutes to start hurting you.
Alan Shimel: Oh my God.
Anna Belak: Ten minutes.
Alan Shimel: Really?
Anna Belak: Which, and that’s an average, right? So in some cases it’s like seconds. If it’s a minor or malware, they just boom, it’s there. If it’s a more sophisticated kind of somewhat manual attack, it’ll be longer. But the early stages of the attacks are super fast, because it’s so highly automated. They’re like have all these scripts. They’re doing all this reconnaissance and discovery, find something juicy, send the WhatsApp message to the bad, whoever, the attacker. And then they come in and they grab the credential and off they go. And then the second element, that’s the fast, okay, it’s fast. What’s maybe even more impactful, is that it’s quite sophisticated. So these guys know cloud. And I kind of joke, but not joke. Their full-time job is breaking cloud and our full-time job is,
Alan Shimel: Trying to stop them, right.
Anna Belak: Doing what we do, well, no, we have a business to run. Well, I sell security tools, but you are a media guy. Somebody else’s [inaudible]
Alan Shimel: I don’t have a full-time, I know.
Anna Belak: The security thing is,
Alan Shimel: It’s the nature of the whole thing. It’s cat and mouse.
Anna Belak: The cat is,
Alan Shimel: Always one step behind the mouse.
Anna Belak: The mouse is fast.
Alan Shimel: Eventually we get the mouse, but there’s more mice.
Anna Belak: The mouse moves on to more, yeah.
Alan Shimel: Let me ask you a quick question on that though. So tech and finance? No, what was the…
Anna Belak: Telco and finance.
Alan Shimel: Telco and finance were number one and two. How big a drop-off was it to three and four?
Anna Belak: It’s pretty, I think so I might be wrong. Telco was 30 something percent, finance was 20 something. It’s like 34, 27, something like that. Next one was I think 15.
Alan Shimel: Oh, so it was significant.
Anna Belak: So what’s interesting, and I wish I could remember what the third one was, but I don’t. So telco finance, we were not surprised. We were actually surprised-
Alan Shimel: Healthcare may be the third one?
Anna Belak: So healthcare was low. Healthcare was only 5%.
Alan Shimel: Wow, that surprises me.
Anna Belak: And then defense was low.
Alan Shimel: Really?
Anna Belak: And so we kind of thought there would be more interest in attacking those kinds of orgs because healthcare is a huge target for ransomware, defense has always got delicious things to look for. So we have a suspicion that the cloud attackers,
Alan Shimel: Have a different priority set.
Anna Belak: Yeah, they either don’t believe they can get into those systems because they either don’t have anything valuable in cloud, or maybe they think it’s better defended. Whereas finance, telco are really wide targets for just fraud. So much fraud. Yeah.
Alan Shimel: Quick, quick, quick. And again, let’s just do the anatomy of this. So a lot of these attacks are set on auto, right? They’re discovering public IPs, discovering infrastructure. Then they run an automated attack schema. And then if it returns anything, that’s when it kicks off a WhatsApp or whatever to a live person who says, “Hey, I got a live one here for you.” And this is when they do their thing from that point on. You know what amazes me? I said earlier, I’ve been doing this 25 years. We always had the gut that hackers are basically lazy. They go for the lowest hanging fruit. It’s akin to walking down the hallway here at the Mandalay Bay and twisting knobs, doorknobs. And if they find one open, easy pickings. If it’s too much of a hassle to pick the lock, they’ll move on to the next one. And that’s what it seems to be here. In ten minutes, I’m making a decision. I’m in, I’m out, or I’m onto the next one.
Anna Belak: Yeah, I think that’s,
Alan Shimel: Hasn’t changed.
Anna Belak: That’s still true. The signals are a little different, now. We see for example, that the most prevalent attack is crypto mining, right? Free money is free money.
Alan Shimel: And it’s also,
Anna Belak: So the angle there is people go and look at that and they say, oh, well, crypto mining, whatever, it’s,
Alan Shimel: Just crypto mining.
Anna Belak: Who cares, if I shut it down, forget it. But,
Alan Shimel: It’s not murder.
Anna Belak: But it’s testing the doorknob. If I’m an attacker, I plant a miner, it’s not getting shut down very quickly. I’m getting a signal that this company is not paying attention. And then I go for something else. Because I’m like, okay, they’re either not very secure or they’re not very attentive to their tools. So maybe I can find more. If I plant a miner, it’s auto shut down. I’m like, okay, I’m not touching that. Not worth my time. So there is that.
Alan Shimel: I think there’s that. I think there’s also a hierarchy of criminals. I think the crypto, right, well, they’re sophisticated. I think the crypto miner does crypto mining, but when his head is full of that, he’s like, you know what? This is an easy mark. I could sell that up the food chain to the ransomware guy. Or hey, this is a potential nation state or one of these guys that I want to sell it to. And I think they do. I think they sell the access out.
Anna Belak: Absolutely. Absolutely. Yeah.
Alan Shimel: So it’s insidious. Ten minutes, my God. So what do we do to protect ourselves?
Anna Belak: Can cry softly to our pillow.
Alan Shimel: We don’t, we just hope that the lion doesn’t eat this zebra today.
Anna Belak: I mean in some sense it’s the same as always, right? Defense in depth, you need multiple controls, blah, blah, blah. I think we have to be honest with ourselves about the reality of cloud. So if we have all these romantic dreams of, oh, it’s so fast, so scalable, so wonderful, that all works in favor of the other side too. But we are enabled now to be much more secure. We can build much more resilient systems. We can redeploy systems much more quickly if there’s an issue. So if we’re leveraging all those tools, we are going to be much better positioned than we were on premise. So I think there’s a lot of hope. It’s not all doom and gloom.
Alan Shimel: No, no. You know, that’s why I prefaced it, because sometimes when we talk about this stuff, we tend to focus on the negative. The fact is it’s not all doom and gloom. There are things we could do. There are things we’re doing better. Immutable infrastructure is a beautiful thing that allows us to do that.
Anna Belak: I’m a big fan, yes.
Alan Shimel: Yes. Interesting stuff. What else is in the report that’s of maybe of interest to our audience?
Anna Belak: So one other one that’s interesting, so this builds up on last year’s work. So last year we went through Docker Hub and we looked for malicious images. One cool thing we saw last year was that you could find DDoS agents in the images, and they were actually used in the conflict between Russia and Ukraine. So you could be anybody not knowing anything about Docker or Ukraine or anything, and you could just download this thing and become part of a botnet.
Alan Shimel: You are part of the zombie nation.
Anna Belak: Which is wild, right? So this year, we did deeper analysis on malicious images in Docker Hub to see if it was easy enough to tell when they were malicious. Because right now there’s this big shift left paradigm. So we’re all scanning, scanning, scanning everything before we deploy, which is great. You want to do that.
Alan Shimel: Absolutely.
Anna Belak: But what we found was 10% of those known malicious, so definitely bad stuff, were not detectable with any kind of static analysis. So you had to run the image and analyze it in runtime before you could see the malicious behavior.
Alan Shimel: Well look, one could say 90% was detectable.
Anna Belak: Yeah, yeah.
Alan Shimel: It’s the other 10% that’ll kill you.
Anna Belak: Well, we just have runtime and out. So something because people believe that, oh, if you fix it all on the left side, we’re good forever. Obviously that’s not true.
Alan Shimel: Doesn’t happen like that.
Anna Belak: This is a quantitative metric that says 10% of time you’re just,
Alan Shimel: Let me ask you another question, because I don’t want to give Docker Hub necessarily a bad name. I don’t think Docker Hub,
Anna Belak: It’s not helpful.
Alan Shimel: Well, I’m not going to go that far either, but I don’t think Docker Hub is necessarily any worse than any of the other repos.
Anna Belak: No, no. And we scanned a bunch of repos. We just did the deep analysis on Docker Hub. Yeah. There is nasty stuff in, you name it, like GitHub, all of it. There’s lots of nasty stuff.
Alan Shimel: I’ve been talking to a couple of the repo vendors. Maybe I’m naive, but my take is you need to have a guard at the door before anyone downloads stuff from you. Some of the responsibility, Mr. Repo Owner or Ms. Repo Owner is on you to clean your act up. Because I come to you as sort of a trusted resource and you’re not. Or be upfront and say, “Don’t trust anything from me.”
Anna Belak: Well, yeah, that is a challenge. I agree with you that they bear some responsibility. I’m also a little empathetic to them because they’ve been under a lot of attacks lately.
Alan Shimel: Yes, they have.
Anna Belak: So our team has found,
Alan Shimel: It’s a hard job.
Anna Belak: Well, there were lots of attacks that caused them to tighten some of their controls actually over the past couple of years. And then our team has found attacks against them that we called free jacking. So it’s when they grabbed their freemium accounts and just abused them for tax money.
Alan Shimel: I think I interviewed you on that one.
Anna Belak: Yeah, you did. So they’re having a bad day because clearly this technology moves forward. We’re doing all these repositories, scanning, rapid deployment artifacts, et cetera. And then of course the attackers come in and they’re like, oh look, a delicious new attack’s surfacing. So yeah, cat and mouse, cat and mouse.
Alan Shimel: It is cat and mouse. But this is also one of the things about the whole cloud model was yes, you could put more resources. A cloud provider or a repo owner could put more resources into protecting their mother lode, but it’s nevertheless a mother lode that makes it more attractive. It’s like a big piece of cheese for those mice. And I think ultimately some of the responsibility has to reside with them. The same way you look at what we did with the Apple App Store and the Google Play Store, right? They have a responsibility to make sure that the apps, we think they do anyway, that the apps in there are vulnerability free or not hacked. And when they do come out that they were vulnerable apps in there, we point the finger at Google and at Apple. So anyway, it happens. Anna, for people who want to go get more information on this particular report and stay abreast of the rest of the great stuff you guys do, where can they go?
Anna Belak: Come to Sysdig.com. It is definitely on the website. And reach out to us. We’re around. I’m always happy to chat.
Alan Shimel: Anna, it’s been a pleasure meeting you here in person for the first time. I’ll see you on the Zoom next time, probably. But until then, keep up the great work. You guys, really all kidding aside, and you guys do great, great work.
Anna Belak: Awesome. Thank you for having us.
Alan Shimel: Thank you. Anna Belak. Head of, she runs the cybersecurity research team over at Sysdig. Until then, this is Alan Shimel for Techstrong, and we’ll be right back.